Wednesday, November 8, 2017

Is Two Factor Authentication Enough?

Two-factor authentication (2FA) has become the hot new topic in information security. 2FA adds another layer of verification and, therefore, security when a user attempts to log in. It requires the user to have another method of verification, such as a phone or dongle, which only the user in question should have access to. 2FA has been hailed by security experts as the solution to weak passwords and phishing, but is it enough?

(Duo Security, 2016)

The security of two-factor authentication has been thought to be too complicated to break. Until recently, there have been few or no attack vectors or frameworks publicly available to break 2FA. Because of this, the only successful attacks against 2FA have been achieved by skilled actors who built their own frameworks for specific use cases. However, malicious actors can now use prepackaged frameworks such as CredSniper to easily set up phishing sites to steal your password, even if you are using 2FA (Ustayready, 2017). CredSniper is a phishing framework written in Flask, a Python package, that can easily phish your passwords. While these types of attacks have not become common, they are expected to become more frequent as tools such as CredSniper become more widely available.

That brings us back to our original question: is two-factor authentication enough? Some security experts think that 2FA is dying and three-factor authentication (3FA) is its successor. 3FA requires users to have three levels of verification: knowledge (a password), possession (a phone or dongle where a code can be sent), and inherence (a biological trait such as an eye scan). In theory, 3FA can be even more secure than 2FA by adding an additional layer of security (Rouse, 2014). However, as was seen with 2FA, the adoption curve for these types of technology lags behind the need for additional layers of security.


1. Do you have two-factor authentication enabled? If so, do you think it adds an extra layer of security?

2. 2FA is becoming more and more widely adopted and 3FA is on the horizon. Do you believe that 4FA will be the next step? What will the fourth form of authentication be?

3. Would you be willing to provide an agency your biometric information to aid in 3FA? Why?



Works Cited:

Duo Security. (2016, June 02). What is Two-Factor Authentication? (2FA). Retrieved November 08, 2017, from https://www.youtube.com/watch?v=0mvCeNsTa1g

Rouse, M. (2014, December). What is three-factor authentication (3FA)? - Definition from WhatIs.com. Retrieved November 08, 2017, from http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA

Ustayready. (2017, October 31). CredSniper. Retrieved November 08, 2017, from https://github.com/ustayready/CredSniper/tree/master/modules/gmail/templates



6 comments:

  1. I really enjoyed reading your post. I have used two factor authentication. I have it set up for my email so when I log in from an unknown computer, they'll text me a code to enter. I do believe it adds an extra layer of security. There are always people trying to hack other people, so I do believe that even though it is still hackable according to your post, it makes it harder for hackers.

    I also do believe that 4FA will be inevitable because hackers will just try to find new ways to hack. It is impossible to make it 100% secure. So as hackers develop new innovative techniques in the future we may need to go more than 4 FA. I would be willing to use 3FA just because I know it'll be safer for my information. I believe 4FA will be something such as location or GPS enabled. Using your exact location to enable your password.

    Even though it may invade my privacy asking for biometric information, I personally think it is worth it for making my information more secure. There really is no other way because as security gets more tight, the only way to make sure that it really is you logging in is something that will be more personal and invading your privacy.

    Overall, I do believe that adding more factors to authentication is inevitable and is a good idea, because hackers will continue finding new ways to break into new things. Others may believe it is invading too much into their privacy by offering their biometric information or location. But I think it is bound to happen in the future.

    Rouse, M. (2014, December). What is three-factor authentication (3FA)? - Definition from WhatIs.com. Retrieved November 20, 2017, from http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA

  2. Will,

    Very interesting post and I really enjoyed reading it. Two factor authentication is very important to me, not only because I use it but I try to get people to use it every day. I work for the Athletics IT Department at the UOFA and recently we had to get every employee using NetID+. Although I presented the benefits for them to switch, such as safer and more security, many people were still hesitant because of the extra time it took them to get past two layers of security. I think to really get many people on board to two factor authentication, they must first experience a hack or breach of security on themselves.

  3. Hi Will,

    In many cases, 2FA is not enough, and in some cases makes us more vulnerable to an attack. Many people use their phones as the source of their 2FA, receiving a code allowing for login. However, there is a major issue with this. Many phone carriers are extremely susceptible to social engineering and there have been many cases of individuals getting their phone numbers switched to an attacker's phone. This may allow an attacker to even reset account passwords and completely take control of the target's life.

    The most safe version of 2FA, and the only version that people should use, is an authenticator app. These apps are not hackable unless someone gains physical access to the target's device.

  4. This was a very interesting post about security. I use two-factor authentication most of the time, but not every time it is offered. I believe that it adds an extra layer of security to prevent hackers from gaining access to whatever is protected by the two-factor authentication. Personally, I do not think that 4FA will be the next step in security. This additional step may deter users and add more of a hassle to gain access to the device. Although it would theoretically be more secure, people may not want to take the extra time to log in. I would not want to provide biometric information for 3FA since I would not want that much of my information out there. 2FA is enough security for me and I believe it greatly deters hackers. I could see myself getting frustrated with the lags associated with 3FA and 4FA.

  5. 2-factor authentication can be too complicated for a frequent traveler like me. The idea that people must have a local phone number to authenticate is stressful. I would go back to my home country and realize my phone number got canceled, so I won't be able to access all my accounts online.

    However, I do understand the importance of authentication. The most important thing is to find a balance between being safe and being user-friendly. It is controversial that 2-factor authentication might not be enough, but some users like me already consider 2-factor authentication to be too complicated.

  6. This is a really interesting post, Will. I do have two factor authentication enabled for as many things as I can because of the added security. For my banking app I would definitely be open to having 3FA but for other mundane things like D2L I think 2FA is enough.

    If providing my biometric information to companies makes my stuff more secure then I would be open to it.
